Disabling a user for risk-based authentication (RBA) prevents the user from accessing RBA-protected resources. The system retains the user's RBA-related data, including the user's authentication history and device history. (Devices remain in the user device history according to the device administration settings in the RBA policy.)